Configuring Application Acceleration

This chapter describes how to configure the optimization policies on your WAAS system that determine the types of application traffic that is accelerated over your WAN.

Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, SM-SRE modules running WAAS, and vWAAS instances.

About Application Acceleration

The WAAS software comes with over 150 predefined optimization policies that determine the type of application traffic your WAAS system optimizes and accelerates. These predefined policies cover the most common types of application traffic on your network. For a list of the predefined policies, see Appendix A, “Predefined Optimization Policy.”

Each optimization policy contains the following elements:

Application definition—Identifies general information about a specific application, such as the application name and whether the WAAS Central Manager collects statistics about this application.

Class Map—Contains a matching condition that identifies specific types of traffic. For example, the default HTTP class map matches all traffic going to ports 80, 8080, 8000, 8001, and 3128. You can create up to 512 class maps and 1024 matching conditions.

Policy—Combines the application definition and class map into a single policy. This policy also determines what optimization and acceleration features (if any) a WAAS device applies to the defined traffic. You can create up to 512 policies. A policy can also contain a differentiated services code point (DSCP) marking value that is applied to the traffic and that overrides a DSCP value set at the application or global level.

Note All application definitions configured in the WAAS Central Manager are globally applied to all WAAS devices that register with the WAAS Central Manager, regardless of the device group membership configuration.

WAAS policies can apply two kinds of optimizations to matched traffic:

Layer 4 optimizations that include TFO, DRE, and LZ compression. These features can be applied to all types of TCP traffic.

Layer 7 optimizations that accelerate application-specific protocols. The application accelerators control these kinds of optimizations.

For a given optimization policy, the DRE feature can use different caching modes (beginning with software version 4.4.1):

Bidirectional—The peer WAEs maintain identical caches for inbound and outbound traffic. This caching mode is best suited where a significant portion of the traffic seen in one direction between the peers is also seen in the reverse direction. In software versions prior to 4.4.1, this mode is the only supported caching mode.

Unidirectional—The peer WAEs maintain different caches for inbound and outbound traffic. This caching mode is best suited where a significant portion of the traffic seen in one direction between the peers is not seen in the reverse direction.

Adaptive—The peer WAEs negotiate either bidirectional or unidirectional caching based on the characteristics of the traffic seen between the peers.

The predefined optimization policies are configured to use the optimal DRE caching mode, depending on the typical application traffic, though you can change the mode if you want.

Enabling and Disabling the Global Optimization Features

The global optimization features determine if TFO Optimization, Data Redundancy Elimination (DRE), and Persistent Compression are enabled on a device or device group. By default, all of these features are enabled. If you choose to disable one of these features, the device will be unable to apply the full WAAS optimization techniques to the traffic that it intercepts.

In addition, the global optimization features include each of the following application accelerators: CIFS, EPM, HTTP, ICA, MAPI, NFS, SMB, SSL, and video. By default, all of the application accelerators are enabled except SMB. Encrypted MAPI is also not enabled by default. The application accelerators also require specific licenses to operate. For information on installing licenses, see the “Managing Software Licenses” section.

You must enable the accelerator on both of the peer WAEs at either end of a WAN link for all application accelerators to operate.

To enable or disable a global optimization feature, follow these steps:

Note On WAAS Express devices, only a subset of the standard features are available. (See Figure 13-2.) On ISR-WAAS devices, the CIFS application accelerator is not available and the SMB application accelerator is enabled by default. In the Enabled Features window for a device group, two SMB Accelerator options are shown, one for ISR-WAAS devices and one for all other kinds of WAEs.

Figure 13-1 Enabled Features Window

Figure 13-2 shows the subset of standard features that are available for a WAAS Express device.

Figure 13-2 Enabled Features Window—WAAS Express

For WAAS Express, the following express versions of application accelerators are supported:

Step 3 Place a check next to the optimization features that you want to enable, and uncheck the features that you want to disable. For a description of each of the optimization features, see the “Key Services of Cisco WAAS” section.

Some features have additional settings that you can configure by clicking a link next to the setting name. Hover your cursor over the small target icon next to the link to see a pop-up window that shows the current settings.

Step 4 If you check the Data Redundancy Elimination check box, you can click the DRE Settings link as a shortcut to the DRE Settings Configuration window. For more information, see the “Configuring DRE Settings” section.

Step 5 If you check the CIFS Accelerator check box, you have the following option:

CIFS Print Accelerator—Check this box to accelerate print traffic between clients and a Windows print server. This accelerator is enabled by default when you enable the CIFS accelerator.

Note Do not disable CIFS Print Acceleration during a client session because this action can interfere with client use of print services. If you must disable CIFS Print Acceleration, disconnect and then reestablish the client session.

Step 6 If you check the HTTP Accelerator check box, you can click the HTTP Settings link as a shortcut to the HTTP/HTTPS Settings window. For more information, see the “Configuring HTTP Acceleration” section.

Step 7 If you check the ICA Accelerator check box, you can click the ICA Settings link as a shortcut to the ICA Acceleration Configuration window. For more information, see the “Configuring ICA Acceleration” section.

Step 8 If you check the MAPI Accelerator check box, you can click the MAPI Settings link as a shortcut to the MAPI Settings window.

Step 10 If you check the SMB Accelerator check box, you can click the SMB Settings link as a shortcut to the SMB Acceleration Configuration window. For more information, see the “Configuring SMB Acceleration” section.

Step 12 If you check the Video Accelerator check box, you can click the Video Settings link as a shortcut to the Video Acceleration Configuration window. For more information, see the “Configuring Video Acceleration” section.

Step 13 In the Advanced Settings area, uncheck the Blacklist Operation feature if you want to disable it. This feature allows a WAE to better handle situations in which TCP setup packets that have options are blocked or not returned to the WAE device. This behavior can result from network devices (such as firewalls) that block TCP setup packets that have options, and from asymmetric routes. The WAE can keep track of origin servers (such as those behind firewalls) that cannot receive optioned TCP packets and learns not to send out TCP packets with options to these blacklisted servers. WAAS is still able to accelerate traffic between branch and data center WAEs in situations where optioned TCP packets are dropped. We recommend leaving this feature enabled.

Step 14 If you want to change the default Blacklist Server Address Hold Time of 60 minutes, enter the new time in minutes in the Blacklist Server Address Hold Time field. The valid range is 1 minute to 10080 minutes (1 week).

When a server IP address is added to the blacklist, it remains there for the configured hold time. After that time, subsequent connection attempts will again include TCP options so that the WAE can redetermine whether the server can receive them. Retrying TCP options periodically is useful because network packet loss may cause a server to be erroneously blacklisted.

You can shorten or lengthen the blacklist time by changing the Blacklist Server Address Hold Time field.
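The following is an added example, not Cisco code, that models the Blacklist Operation behaviour described above: a server that cannot receive optioned TCP setup packets is blacklisted for the configured hold time, and once the hold time elapses the next connection attempt sends TCP options again. The hold-time range and default are the values given in the text; the server address and the clock values are constructed for the example.

```python
# Added example (not Cisco's code): a model of the WAAS TFO Blacklist Operation.
# The WAE learns which origin servers never answer SYNs carrying TCP options and
# stops sending options to them until the configured hold time expires.

MIN_HOLD_MINUTES = 1         # valid range given in the text: 1 minute ...
MAX_HOLD_MINUTES = 10080     # ... to 10080 minutes (1 week)
DEFAULT_HOLD_MINUTES = 60    # default hold time given in the text


def valid_hold_time(minutes):
    """True if the value is inside the range the GUI/CLI accepts."""
    return MIN_HOLD_MINUTES <= minutes <= MAX_HOLD_MINUTES


class OptionBlacklist:
    """Tracks origin servers that must not be sent TCP setup packets with options."""

    def __init__(self, hold_minutes=DEFAULT_HOLD_MINUTES):
        if not valid_hold_time(hold_minutes):
            raise ValueError("hold time must be 1-10080 minutes")
        self.hold_seconds = hold_minutes * 60
        self._expiry = {}    # server IP -> time (seconds) when the entry expires

    def record_option_failure(self, server_ip, now):
        """Called when a SYN with options to server_ip was blocked or unanswered."""
        self._expiry[server_ip] = now + self.hold_seconds

    def send_with_options(self, server_ip, now):
        """True if the next SYN to server_ip should carry TCP options."""
        expiry = self._expiry.get(server_ip)
        if expiry is None:
            return True
        if now >= expiry:
            # Hold time elapsed: drop the entry and retry options, because the
            # original failure may have been ordinary packet loss rather than
            # a firewall stripping optioned SYNs.
            del self._expiry[server_ip]
            return True
        return False

    def blacklisted(self):
        """Servers currently held on the blacklist (sorted for stable output)."""
        return sorted(self._expiry)


if __name__ == "__main__":
    bl = OptionBlacklist()                      # 60-minute hold time
    bl.record_option_failure("192.0.2.10", 0)   # constructed server address
    print(bl.send_with_options("192.0.2.10", 1800))   # False: still blacklisted
    print(bl.send_with_options("192.0.2.10", 3600))   # True: hold time elapsed
```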

Step 15 Click Submit.

The changes are saved to the device or device group.

To configure TFO optimization, DRE, and persistent compression from the CLI, use the tfo optimize global configuration command.

To configure CIFS acceleration from the CLI, use the accelerator cifs and accelerator cifs preposition global configuration commands.

To configure CIFS print acceleration from the CLI, use the accelerator windows-print global configuration command.

To configure EPM acceleration from the CLI, use the accelerator epm global configuration command.

To configure HTTP acceleration from the CLI, use the accelerator http global configuration command.

To configure ICA acceleration from the CLI, use the accelerator ica global configuration command.

To configure MAPI acceleration from the CLI, use the accelerator mapi global configuration command.

To configure NFS acceleration from the CLI, use the accelerator nfs global configuration command.

To configure SMB acceleration from the CLI, use the accelerator smb global configuration command.

To configure SSL acceleration from the CLI, use the accelerator ssl global configuration command.

To configure video acceleration from the CLI, use the accelerator video global configuration command.

To configure the Blacklist Operation feature from the CLI, use the tfo auto-discovery global configuration command.

To display status and statistics on the application accelerators from the CLI, use the show accelerator and show statistics accelerator EXEC commands. To display statistics on the CIFS print accelerator, use the show statistics windows-print requests EXEC command. To display statistics on the SMB print accelerator, use the show statistics accelerator smb EXEC command.

For details on configuring individual application accelerators, see the following sections:

To enable DRE auto bypass from the CLI, use the dre auto-bypass enable global configuration command.

To enable DRE load monitor from the CLI, use the dre load-monitor report global configuration command.

Configuring HTTP Acceleration

The HTTP application accelerator accelerates HTTP traffic. SSL traffic that uses HTTPS can be optimized by both SSL and HTTP optimizations.

The default Web optimization policy is defined to send traffic to the HTTP accelerator. The Web optimization policy uses the HTTP class map, which matches traffic on ports 80, 8080, 8000, 8001, and 3128. If you expect HTTP traffic on other ports, add the other ports to the HTTP class map.

To enable the HTTP accelerator, check the HTTP Accelerator check box in the Enabled Features window (see Figure 13-1).

Step 5 In the Maximum age of a cache entry field, enter the maximum number of seconds to retain HTTP header information in the cache. The default is 86400 seconds (24 hours). Valid time periods range from 5–2592000 seconds (30 days).

Step 6 In the Minimum age of a cache entry field, enter the minimum number of seconds to retain HTTP header information in the cache. The default is 60 seconds. Valid time periods range from 5 to 86400 seconds (24 hours).

Step 10 To configure specific file extensions to which metadata caching is to be applied, enter the file extensions in the File extension filters field at the far right. Separate multiple extensions with a comma (for example: jpeg, gif, png) and do not include the dot at the beginning of the file extension.

By default, no file extension filters are defined and therefore metadata caching applies to all file types.

Step 11 Check the Enable Pre-fetch Optimization check box to allow the edge WAAS device to prefetch data. This setting is not enabled by default.

By checking this box, you are telling the edge WAAS device to prefetch the subsequent pages of the documents from the SharePoint server before the client actually requests them and serve them from the cache when the request from the client arrives. You can now seamlessly scroll through the document without having to wait for the content to load.

Step 12 Check the Suppress server compression for HTTP and HTTPS check box to configure the WAE to suppress server compression between the client and the server. The default setting is checked.

By checking this box, you are telling the WAE to remove the Accept-Encoding value from HTTP and HTTPS request headers, preventing the web server from compressing HTTP and HTTPS data that it sends to the client. This allows the WAE to apply its own compression to the HTTP and HTTPS data, typically resulting in much better compression than the web server for most files. For some file types that rarely change, such as .css and .js files, this setting is ignored and web server compression is allowed.

Step 13 Check the Enable DRE Hints for HTTP and HTTPS check box to send DRE hints to the DRE module for improved DRE performance. The DRE hint feature is enabled by default.

Step 14 Click Submit.

The changes are saved to the device or device group.

To configure HTTP acceleration from the CLI, use the accelerator http global configuration command.

To show the contents of the metadata cache, use the show cache http-metadatacache EXEC command.

To clear the metadata cache, use the clear cache http-metadatacache EXEC command.

About HTTP Metadata Caching

The metadata caching feature allows the HTTP accelerator in the branch WAE to cache particular server responses and respond locally to clients. The following server response messages are cached:

HTTP 200 OK (Applies to If-None-Match and If-Modified-Since requests)

HTTP 301 redirect

HTTP 304 not modified (Applies to If-None-Match and If-Modified-Since requests)

HTTP 401 authentication required

Metadata caching is not applied in the following cases:

Requests and responses that are not compliant with RFC standards

URLs over 255 characters

301 and 401 responses with cookie headers

HEAD method is used

Pipelined transactions

Note The metadata caching feature is introduced in WAAS version 4.2.1, but version 4.2.1 is needed only on the branch WAE. This feature can interoperate with an HTTP accelerator on a data center WAE that has a lower version.
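The following is an added example, not Cisco code, that models two HTTP accelerator decisions from this section: the suppress-server-compression header rewrite (Step 12 above, with the .css/.js exception) and the metadata caching rules just listed (cacheable response types, the exclusions, and the optional file extension filter from Step 10). It assumes that "301 and 401 responses with cookie headers" covers either a Cookie header on the request or a Set-Cookie header on the response; the request and response values are constructed.

```python
# Added example (not Cisco's code): a model of two HTTP accelerator decisions
# described in this section, using the values given in the text.

CACHEABLE_STATUS = {200, 301, 304, 401}
CONDITIONAL_HEADERS = ("if-none-match", "if-modified-since")
MAX_URL_LEN = 255                          # URLs over 255 characters are not cached
COMPRESSION_ALLOWED_EXT = (".css", ".js")  # server compression stays for these


def suppress_server_compression(request_headers, path, enabled=True):
    """Return the request headers the WAE forwards to the origin server.

    With the setting enabled, Accept-Encoding is removed so the server sends
    uncompressed data, which the WAE's own DRE/LZ compression handles better.
    Rarely changing .css/.js files keep server-side compression.
    """
    headers = dict(request_headers)
    if not enabled or path.lower().endswith(COMPRESSION_ALLOWED_EXT):
        return headers
    return {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}


def _extension(url):
    """File extension of the URL path without the dot, or '' if none."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def metadata_cacheable(method, url, request_headers, status, response_headers,
                       pipelined=False, rfc_compliant=True, ext_filters=()):
    """Decide whether the branch WAE may cache this server response."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if not rfc_compliant or pipelined:       # non-compliant or pipelined transactions
        return False
    if method.upper() == "HEAD":             # HEAD method is never cached
        return False
    if len(url) > MAX_URL_LEN:
        return False
    if status not in CACHEABLE_STATUS:
        return False
    # 200 OK and 304 Not Modified are cached only for conditional requests
    if status in (200, 304) and not any(h in req for h in CONDITIONAL_HEADERS):
        return False
    # 301 and 401 responses with cookie headers are not cached (assumption:
    # either a request Cookie or a response Set-Cookie counts)
    if status in (301, 401) and ("cookie" in req or "set-cookie" in resp):
        return False
    # File extension filters (Step 10): empty means all file types are cached
    if ext_filters:
        allowed = {e.strip().lower().lstrip(".") for e in ext_filters}
        if _extension(url) not in allowed:
            return False
    return True


if __name__ == "__main__":
    # Constructed request: the WAE strips Accept-Encoding for an HTML page
    req = {"Host": "intranet.example", "Accept-Encoding": "gzip, deflate"}
    print(suppress_server_compression(req, "/portal/index.html"))
    # Constructed revalidation: a 304 to an If-None-Match request is cacheable
    print(metadata_cacheable("GET", "/logo.gif", {"If-None-Match": '"abc"'}, 304, {}))
```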

Using an HTTP Accelerator Subnet

The HTTP accelerator subnet feature allows you to selectively enable or disable specific HTTP optimization features for specific IP subnets by using ACLs. This feature can be applied to the following HTTP optimizations: HTTP metadata caching, HTTPS metadata caching, DRE hints, and suppress server compression.

To define IP subnets, use the ip access-list global configuration command. Refer to this command in the Cisco Wide Area Application Services Command Reference for information on configuring subnets. You can use both standard and extended ACLs.

To configure a subnet for an HTTP accelerator feature, follow these steps:

Step 1 Enable the global configuration for all the HTTP accelerator features that you want to use.

Step 3 Associate the ACL with a specific HTTP accelerator feature. Refer to the accelerator http global configuration command in the Cisco Wide Area Application Services Command Reference for information on associating an ACL with an HTTP accelerator feature.

WAE(config)# accelerator http metadatacache access-list md_acl

In this example, the HTTP metadata cache feature applies to all the connections that match the conditions specified in the extended access-list md_acl.

In the following example, the HTTP suppress-server-encoding feature applies to all the connections that match the conditions specified in the standard access-list 10.

Secure connections that use message authentication (signing) are not accelerated, and MAPI over HTTP is not accelerated.

Note Microsoft Outlook 2007 and 2010 have encryption enabled by default. You must disable encryption to benefit from the MAPI application accelerator.

The EPM application accelerator must be enabled for the MAPI application accelerator to operate. EPM is enabled by default. Additionally, the system must define an optimization policy of type EPM, specify the MAPI UUID, and have an Accelerate setting of MAPI. This policy, MAPI for the Email-and-Messaging application, is defined by default.

EPM traffic, such as MAPI, does not normally use a predefined port. If your Outlook administrator has configured Outlook in a nonstandard way to use a static port, you must create a new basic optimization policy that accelerates MAPI traffic with a class map that matches the static port that was configured for Outlook.

Note If the WAE becomes overloaded with connections, the MAPI application accelerator continues to accelerate MAPI connections by using internally reserved connection resources. If the reserved resources are also exceeded, new MAPI connections are passed through until connection resources become available.

To enable the MAPI accelerator, check the MAPI Accelerator check box in the Enabled Features window (see Figure 13-1).

Note When you enable MAPI acceleration, Encrypted MAPI acceleration is enabled by default.

Step 3 In the Reserved Pool Size Maximum Percent field, enter the maximum percentage of connections reserved for MAPI optimization during TFO overload. It is specified as a percentage of the TFO connection limit of the platform. Valid values range from 5% to 50%. The default is 15%, which reserves approximately 0.5 connection for each client-server Association Group (AG) optimized by the MAPI accelerator.

The client maintains at least one AG per server it connects to with an average of about 3 connections per AG. For deployments that observe a greater average number of connections per AG, or where TFO overload is a frequent occurrence, a higher value for reserved pool size maximum percent is recommended.

Reserved connections would remain unused when the device is not under TFO overload. Reserved connections are released when the AG terminates.

Step 4 Click Submit. The changes are saved to the device or device group.

Task Flow for Configuring Encrypted MAPI

To configure Encrypted MAPI traffic acceleration, complete the tasks listed in Table 13-1. These tasks must be performed on both data center and branch WAEs unless specifically noted as not required (or optional).

Step 2 Configure NTP Settings to synchronize the time with Active Directory.

The WAAS device has to be in time synchronization with Active Directory for Encrypted MAPI acceleration. The WAAS NTP server must be time-synchronized with the Active Directory domain controllers of the domains whose encrypted traffic is to be accelerated. Time that is out of sync causes Encrypted MAPI acceleration to fail.

Note Kerberos authentication is used for Encrypted MAPI Acceleration. NTLM authentication method is not supported.

Step 7 Configure domain identities. (Not required for branch WAEs.)

You must have at least one account configured, either user or machine, that is configured with a domain identity. Each device can support up to 5 domain identities: 1 machine account identity and 4 user account identities. This allows a WAAS device to accelerate up to 5 domain trees. You must configure a domain identity for each domain with an Exchange server that has clients to be accelerated.

a. Configure the machine account identity.

A machine account for the core device was automatically created during the join process in the Windows Domain Server authentication procedure in the previous step. If you are using a machine account, a machine account identity must be configured for this account.

You may utilize up to four optional user accounts for additional security. Multiple user accounts provide greater security than having all of the core devices using a single user account. You are required to configure a user account identity for each user account, whether you are utilizing an existing user account or creating a new one.

From the Enabled Features window, check the Encrypted MAPI Traffic Optimization check box (the MAPI Accelerator check box must also be checked), and click Submit. Encrypted MAPI traffic optimization is enabled by default.

b. Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain space, ?, |), not exceeding 32 characters.

Note The domain identity must have sufficient privileges in the Windows Domain Active Directory to replicate the desired domain information to optimize encrypted traffic. To configure privileges, see the “Configuring Microsoft Active Directory” section.

To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain encrypted-service global configuration command and the show windows-domain encrypted-service EXEC command.

Creating and Configuring a User Account

To create a user account and configure a user account identity, follow these steps:

b. Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain space, ?, |), not exceeding 32 characters.

c. Enter username and password information.

d. Enter the domain name.

e. Enter the Kerberos realm.

Note The domain identity must have sufficient privileges in the Windows Domain Active Directory to replicate the desired domain information to optimize encrypted traffic. To configure privileges, see the “Configuring Microsoft Active Directory” section.

Note Secure store encryption is used for the user account domain identity password. If secure store cannot be opened, an alarm is raised indicating that the configuration updates could not be stored on the device. Once secure store can be opened and the configuration updates are successfully stored on the device, the alarm is cleared.

To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain encrypted-service global configuration command and the show windows-domain encrypted-service EXEC command.

Encrypted MAPI Acceleration Statistics

Configuring Video Acceleration

The video application accelerator accelerates Windows Media live video broadcasts that use RTSP over TCP. The video accelerator automatically splits one source video stream from the WAN into multiple streams to serve multiple clients on the LAN.

The video accelerator automatically causes the client that is requesting a UDP stream to do a protocol rollover to use TCP (if both the client and server allow TCP).

The default RTSP class map for the Streaming optimization policy is defined to send traffic to the video accelerator.

By default, the video accelerator sends any unaccelerated video traffic to be handled by the negotiated standard TCP optimization policy unless the video accelerator is explicitly configured to drop such traffic. You can choose to drop all unaccelerated video traffic or only traffic that is unaccelerated due to an overload condition.

To enable the video accelerator, check the Video Accelerator check box in the Enabled Features window (see Figure 13-1).

Step 3 In the Client First Message Reception Timeout field, enter the number of seconds to wait for the first message from the client and the first response from the server, after the connection is accepted by the video accelerator, before timing out the connection. Valid values range from 10–180 seconds. The default is 60.

Step 4 In the drop-down list, choose which unaccelerated video traffic to drop, as follows:

All—Drop all video traffic that is not being accelerated due to an unsupported transport or format, or overload. All Windows Media video-on-demand traffic and all non-Windows Media RTSP traffic is dropped.

Overload Only—Drop all video traffic that is not being accelerated due to an accelerator overload only.

None—Handle unaccelerated video connections with the negotiated TCP optimization policy. (The traffic is not dropped.)

Note Under some conditions, the video accelerator is not registered with the policy engine, such as when there is no valid license or in certain error conditions. If you configure the video accelerator to drop all unaccelerated video traffic, the policy engine drops all video traffic (even traffic that would have been accelerated if the video accelerator had been properly registered with the policy engine).

Step 5 Check the Enable transaction logs check box to enable transaction logging. This feature will generate a large amount of logging data. This box is unchecked by default. Click the More Settings link to go to the Windows Media Transaction Log Settings configuration page.

Step 7 In the Client Idle Connection timeout field, enter the maximum number of seconds to wait after the initial client request, while the client connection is idle, before timing out the connection. Valid values range from 30–300 seconds. The default is 60.

Step 8 Click Submit.

The changes are saved to the device or device group.

To configure video acceleration from the CLI, use the accelerator video global configuration command.

Configuring SMB Acceleration

The SMB application accelerator handles optimizations of file server operations. It can be configured to perform the following file server optimizations:

SMB Print Optimization—A centralized print deployment reduces management overhead and increases cost savings. SMB Print Optimization optimizes print traffic by utilizing a centralized printer server, which resides in the data center. This removes the need for local print servers in the branches. The three most common uses for a centralized printer server are: to print from branch client to branch printer, to print from branch client to data center printer, and to print from data center client to branch printer.

Read Ahead optimization—The SMB accelerator performs a read-ahead optimization on files that use the oplock feature. When a client sends a read request for a file, it is likely that it may issue more read requests for the same file. To reduce the use of network bandwidth to perform these functions over the WAN on the file server, the SMB accelerator performs read-ahead optimization by proactively reading more file data than what has been initially requested by the client.

Directory listing optimization—A significant portion of the traffic on the network is for retrieving directory listings. The SMB accelerator optimizes directory listings from the file server through prefetching. For directory prefetching, a request from the client is expanded to prefetch up to 64 KB of directory listing content. The SMB accelerator buffers the pre-fetched directory listing data until the client has requested all the data. If the directory listing size exceeds 64 KB then a subsequent request from the client is expanded by the SMB accelerator again to prefetch content up to 64 KB. This continues until all the entries of the directory are returned to the client.

Metadata optimization—The SMB accelerator optimizes fetching metadata from the file server through metadata prefetching. Additional metadata requests are tagged along with the client request and are sent to the file server to prefetch more information levels than what was requested by the client.

Named Pipe optimization—The SMB accelerator optimizes frequent requests from Windows Explorer to the file server to retrieve share, server, and workstation information. Each of these requests involves a sequence of operations that include opening and binding to the named pipe, making the RPC request, and closing the named pipe. Each operation incurs a round trip to the file server. To reduce the use of network bandwidth to perform these functions over the WAN on the file server, the SMB accelerator optimizes the traffic on the network by caching named pipe sessions and positive RPC responses.

Write optimization—The SMB accelerator performs write optimization by speeding up the write responses to the client by acknowledging the Write requests to the client whenever possible and, at the same time, streaming the Write request over the WAN to the server.

Not-Found Metadata caching—Applications sometimes send requests for directories and files that do not exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams (ADS) of the file it finds. With negative Not-Found (NF) metadata caching, the full paths to those nonexistent directories and files are cached so that further requests for the same directories and files get local denies to save the round-trips of sending these requests to the file servers.

DRE-LZ Hints—The SMB accelerator provides DRE hints to improve system performance and resources utilization. At the connection level, the SMB accelerator uses the BEST_COMP latency sensitivity level for all connections, as it gives the best compression. At the message level, the SMB accelerator provides message-based DRE hints for each message to be transmitted over the WAN.

Step 3 In the Highest Dialect Optimized drop-down list, choose the highest dialect to optimize. The available options are:

NTLM 0.12 or NTLM 1.0

SMB 2.0

SMB 2.1

Step 4 In the Highest Dialect Optimized Exceed Action drop-down list, choose the action for the dialects that are higher than the one chosen as the highest dialect to optimize, as follows:

Handoff—If the negotiated dialect is higher than the chosen highest dialect to optimize, the connection is handed off to the generic accelerator.

Mute—The dialects higher than the one chosen as the highest dialect to optimize are removed from the negotiation list.
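The following is an added example, not Cisco code, that models the Highest Dialect Optimized setting and its Exceed Action as described in Steps 3 and 4. The dialect names and their order are the three options listed above; the negotiation itself is simplified to "the highest dialect the client offered is the one negotiated", which is an assumption made for the example.

```python
# Added example (not Cisco's code): a model of the SMB accelerator's
# "Highest Dialect Optimized" limit and the Handoff / Mute exceed actions.

# Options listed in the text, ordered from lowest to highest dialect.
DIALECT_ORDER = ["NTLM 0.12 or NTLM 1.0", "SMB 2.0", "SMB 2.1"]


def _rank(dialect):
    """Position of a dialect in DIALECT_ORDER; unknown names are rejected."""
    if dialect not in DIALECT_ORDER:
        raise ValueError("unknown dialect: %r" % dialect)
    return DIALECT_ORDER.index(dialect)


def negotiate(offered):
    """Simplified negotiation (assumption): the highest offered dialect wins."""
    return max(offered, key=_rank)


def apply_exceed_action(offered, highest_optimized, action):
    """Return (dialect list forwarded to the server, handed_off flag).

    Mute:    dialects above highest_optimized are removed from the client's
             negotiation list before it is forwarded, so the server can only
             pick a dialect the accelerator optimizes.
    Handoff: the list is forwarded unchanged; if the negotiated dialect ends up
             above highest_optimized, the connection is handed off to the
             generic accelerator instead of being SMB-optimized.
    """
    limit = _rank(highest_optimized)
    ranked = sorted(offered, key=_rank)
    if action == "Mute":
        return [d for d in ranked if _rank(d) <= limit], False
    if action == "Handoff":
        handed_off = _rank(negotiate(ranked)) > limit
        return ranked, handed_off
    raise ValueError("action must be 'Handoff' or 'Mute'")


if __name__ == "__main__":
    # Constructed client offer containing all three dialects
    offered = ["SMB 2.1", "NTLM 0.12 or NTLM 1.0", "SMB 2.0"]
    print(apply_exceed_action(offered, "SMB 2.0", "Mute"))      # SMB 2.1 removed
    print(apply_exceed_action(offered, "SMB 2.0", "Handoff"))   # handed off
```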

Step 5 In the Bypass File Name Pattern text box, enter the patterns for the file names that you want the SMB accelerator to bypass optimization for. The files whose names match the specified expressions are not optimized.

Step 7 Check the Read Ahead Optimization check box to enable the SMB accelerator to optimize the quantity of read-ahead data from the file. The SMB accelerator performs a read-ahead optimization only when the file is opened using the oplock feature. This box is checked by default.

Step 9 Check the Named Pipe Optimization check box to enable named pipe optimization by caching named pipe sessions and positive RPC responses. This box is checked by default.

Step 10 Check the Write Optimization check box to enable the write optimization by speeding up the write responses to the client. This box is checked by default.

Step 11 Check the Microsoft Office Optimization check box to enable optimizations for all versions of Microsoft Office. The SMB accelerator does not perform read-ahead, write optimization, and lock-ahead for Microsoft Office if this optimization is disabled. This box is checked by default.

Step 14 Check the Batch Close Optimization check box to enable asynchronous file close optimizations. This box is checked by default.

Step 15 Click Submit to save the changes.

To configure SMB acceleration from the CLI, use the accelerator smb global configuration command.

Configuring CIFS Accelerator Express

The CIFS application accelerator express handles optimizations of file server operations on a WAAS Express device. It interoperates with either the standard CIFS accelerator or the standard SMB accelerator on a standard WAAS device.

CIFS accelerator express can be configured to perform the following file server optimizations:

Write optimization—CIFS accelerator express performs write optimization by speeding up the write responses to the client by acknowledging the Write requests to the client whenever possible and, at the same time, streaming the Write request over the WAN to the server.

Read Ahead optimization—CIFS accelerator express performs a read-ahead optimization on files that use the oplock feature. When a client sends a read request for a file, it is likely to issue more read requests for the same file. To reduce the use of network bandwidth to perform these functions over the WAN on the file server, CIFS accelerator express performs read-ahead optimization by proactively reading more file data than what has been initially requested by the client.

ADS Negative Cache—Applications sometimes send requests for directories and files that do not exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams (ADS) of the file it finds. With ADS Negative caching, the full paths to those nonexistent directories and files are cached so that further requests for the same directories and files get local denies to save the round-trips of sending these requests to the file servers.
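The ADS Negative Cache behaviour above, modelled as an added example (this is not Cisco WAAS code; the class, the in-memory stand-in for the file server and the sample paths are assumptions). It shows the two properties that matter operationally: a path that the server has reported as nonexistent is denied locally without a WAN round trip, and a create or write through the cache must evict the negative entry so the cache never keeps denying a path that now exists.

```python
"""Model of the ADS Negative Cache described above. Added example, not Cisco
WAAS code; the class, the server stand-in and the sample paths are assumptions."""
from typing import Set, Tuple


class NegativePathCache:
    """Remembers full paths the file server reported as nonexistent so that
    repeated requests for them are denied locally instead of crossing the WAN."""

    def __init__(self, server_paths: Set[str]):
        # Constructed stand-in for the remote file server's directory tree.
        self._server = {self._key(p) for p in server_paths}
        self._negative: Set[str] = set()
        self.wan_round_trips = 0

    @staticmethod
    def _key(path: str) -> str:
        # SMB paths are case-insensitive; cache the normalized full path.
        return path.replace("/", "\\").lower()

    def lookup(self, path: str) -> bool:
        key = self._key(path)
        if key in self._negative:
            return False                     # local deny, no round trip
        self.wan_round_trips += 1            # ask the file server
        exists = key in self._server
        if not exists:
            self._negative.add(key)
        return exists

    def create(self, path: str) -> None:
        """A create or write that goes through the cache must evict the negative
        entry, otherwise the cache would keep denying a path that now exists."""
        key = self._key(path)
        self._server.add(key)
        self._negative.discard(key)


def demo() -> Tuple[bool, bool, int, bool]:
    # Constructed sample: Explorer probes the Zone.Identifier stream of a file.
    cache = NegativePathCache({r"\\fs01\share\report.docx"})
    stream = r"\\fs01\share\report.docx:Zone.Identifier"
    first = cache.lookup(stream)          # server says not found (1 round trip)
    second = cache.lookup(stream)         # denied locally (still 1 round trip)
    trips = cache.wan_round_trips
    cache.create(stream)                  # stream is written, entry evicted
    after_create = cache.lookup(stream)   # now found
    return first, second, trips, after_create
```

The round-trip counter is the quantity the optimization is meant to reduce; the eviction in `create` is the part that keeps the cache correct when a client writes a stream or file it previously probed.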

Step 3 Check the Write Optimization check box to enable the write optimization by speeding up the write responses to the client. This box is checked by default.

Step 4 Check the Read Ahead Optimization check box to enable CIFS accelerator express to optimize the quantity of read-ahead data from the file. CIFS accelerator express performs a read-ahead optimization only when the file is opened using the oplock feature. This box is checked by default.

Step 5 Check the ADS Negative Cache check box to enable caching pathnames of files not found. This box is checked by default.

Step 6 Click Submit to save the changes.

To configure CIFS accelerator express from the CLI, use the accelerator cifs global configuration command.

Configuring ICA Acceleration

The ICA application accelerator provides WAN optimization on a WAAS device for ICA (Independent Computing Architecture) traffic, which is used to access a virtual desktop infrastructure (VDI). This is done through a process that is both automatic and transparent to the client and server.

ICA acceleration is enabled on a WAAS device by default.

To enable the ICA accelerator, check the ICA Accelerator check box in the Enabled Features window (see Figure 13-13).

Note MSI priority configuration might not apply to devices earlier than version 5.1.x.

Step 6 Click Submit.

The changes are saved to the device or device group.

To configure ICA acceleration from the CLI, use the accelerator ica global configuration command.

To verify the status of WAN Secure mode from the CLI, use the show accelerator wansecure EXEC command.

Configuring SSL Acceleration

The SSL application accelerator optimizes traffic on Secure Sockets Layer (SSL) encrypted connections. If SSL acceleration is not enabled, the WAAS software DRE optimizations are not very effective on SSL encrypted traffic. The SSL application acceleration enables WAAS to decrypt and apply optimizations while maintaining the security of the connection.

Note On a WAAS Express device, only SSL cipher list, SSL certificate authorities, and SSL peering service configuration is supported.

Note The SSL accelerator does not optimize protocols that do not start their SSL/TLS handshake from the very first byte. The only exception is HTTPS that goes through a proxy (where the HTTP accelerator detects the start of SSL/TLS). In this case, both HTTP and SSL accelerators optimize the connection.

The SSL application accelerator supports SSL Version 3 (SSLv3) and Transport Layer Security Version 1 (TLSv1) protocols. If a TLSv1.1 or TLSv1.2 client request is received, negotiation to downgrade to TLS v1.0 occurs. If refused by the client, the traffic is passed through.

Table 13-2 provides an overview of the steps you must complete to set up and enable SSL acceleration.

When you configure SSL acceleration, you must configure SSL accelerated service on the server-side (Data Center) WAE devices. The client-side (Branch) WAE needs to have its secure store initialized and unlocked/opened, but does not need to have the SSL accelerated service configured. However, the SSL accelerator must be enabled on both Data Center and Branch WAEs for SSL acceleration services to work. The WAAS Central Manager provides SSL management services and maintains the encryption certificates and keys.

Enabling Secure Store, the Enterprise License, and SSL Acceleration

Before you can use SSL acceleration on your WAAS system, you must perform the following steps:

Note If the SSL accelerator is already running, you must wait 2 datafeed poll cycles when registering a new WAE with a Central Manager before making any configuration changes, otherwise the changes may not take effect.

Step 3 To configure a device to use the SSL settings from a particular device group, choose the device group from the Select a Device Group drop-down list located in the SSL global settings toolbar. A device can either use its own SSL settings or SSL settings from a device group. However, it is not possible to configure a device to use SSL settings from multiple device groups.

Step 4 In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to accept both SSL3 and TLS1 SSL protocols.

Choose ocsp-url to have the SSL accelerator use the OCSP responder specified in the OCSP Responder URL field to check the revocation status of certificates. Choose ocsp-cert-url to use the OCSP responder URL specified in the Certificate Authority certificate that signed the certificate.

b. If the Ignore OCSP failures check box is enabled, the SSL accelerator will treat the OCSP revocation check as successful if it did not get a definite response from the OCSP responder.

Click Export Certificate Key to export the current certificate/key pair.

Click Generate Certificate Signing Request to renew or replace the existing certificate/key pair. The certificate signing request (CSR) is used by the Certificate Authority to generate a new certificate.

The file that you import or export must be in either a PKCS12 format or a PEM format.

If the certificate and private key are already configured, you can update the certificate only. In this case, the Central Manager constructs the certificate and private key pair using the imported certificate and current private key. This functionality can be used to update an existing self-signed certificate to one signed by the Certificate Authority, or to update an expiring certificate.

The Central Manager allows importing a certificate chain consisting of an end certificate, which must be specified first, followed by a chain of intermediate CA certificates, each signing the end certificate or the preceding intermediate CA certificate, and ending with a root CA certificate.

The Central Manager validates the chain and rejects it if the validity date of a CA certificate has expired or if the signing order of the certificates in the chain is not consecutive.

c. Enter a pass-phrase to decrypt the private key, or leave this field empty if the private key is not encrypted.

c. Import certificate received from the Certificate Authority using the Importing existing certificate and optionally private key option.

Note The size of the key for a generated certificate request is the same as the size of the key in the current certificate.
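The two import-time checks described above (chain order and CA validity) and the "Ignore OCSP failures" decision, written out as an added example. This is not the Central Manager's code: `Cert` is a simplified stand-in in which a certificate "signs" the one before it when its subject equals that certificate's issuer, no signatures are actually verified, and the sample names and dates are constructed.

```python
"""Model of the certificate-chain import checks and the OCSP revocation
decision described above. Added example; not the Central Manager's code.
Cert is a simplified stand-in (no signatures are verified here): a
certificate 'signs' the one before it when its subject equals that
certificate's issuer."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer   # self-signed CA


def validate_chain(chain: List[Cert], today: date) -> Tuple[bool, str]:
    """Order must be: end certificate, then the intermediate CAs in signing
    order, ending with a root CA. Expired certificates are rejected (the guide
    names the CA certificates; this model checks every certificate)."""
    if not chain:
        return False, "empty chain"
    if not chain[-1].is_root:
        return False, "chain does not end with a root CA"
    for pos, cert in enumerate(chain):
        if not (cert.not_before <= today <= cert.not_after):
            return False, f"{cert.subject} is outside its validity period"
        if pos + 1 < len(chain) and cert.issuer != chain[pos + 1].subject:
            return False, (f"signing order broken: {cert.subject} was issued by "
                           f"{cert.issuer}, but next in chain is {chain[pos + 1].subject}")
    return True, "ok"


def revocation_ok(ocsp_status: Optional[str], ignore_ocsp_failures: bool) -> bool:
    """ocsp_status is 'good', 'revoked', or None when no definite response arrived.
    With 'Ignore OCSP failures' on, an indefinite result is treated as success."""
    if ocsp_status == "good":
        return True
    if ocsp_status == "revoked":
        return False
    return ignore_ocsp_failures


# Constructed sample chain; names and dates are invented for the example.
TODAY = date(2024, 6, 1)
ROOT = Cert("Example Root CA", "Example Root CA", date(2015, 1, 1), date(2035, 1, 1))
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", date(2020, 1, 1), date(2030, 1, 1))
EXPIRED_INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", date(2018, 1, 1), date(2023, 1, 1))
END = Cert("app.example.com", "Example Issuing CA", date(2024, 1, 1), date(2025, 1, 1))


def demo() -> Tuple[bool, bool, bool]:
    good, _ = validate_chain([END, INTERMEDIATE, ROOT], TODAY)
    wrong_order, _ = validate_chain([ROOT, INTERMEDIATE, END], TODAY)
    expired, _ = validate_chain([END, EXPIRED_INTERMEDIATE, ROOT], TODAY)
    return good, wrong_order, expired
```

`revocation_ok` makes the consequence of the check box explicit: with it enabled, an unreachable or non-committal responder yields the same result as a definite "good", so a revoked certificate is only caught when the responder actually answers.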

Working with Cipher Lists

Cipher lists are sets of cipher suites that you can assign to your SSL acceleration configuration. A cipher suite is an SSL encryption method that includes the key exchange algorithm, the encryption algorithm, and the secure hash algorithm.

Step 10 (Optional) To change the priority of a cipher suite, check the cipher suite check box and then use the up or down arrow buttons located below the cipher list to prioritize.

Note The client-specified order for ciphers overrides the cipher list priority assigned here if the cipher list is applied to an accelerated service. The priorities assigned in this cipher list are only applicable if the cipher list is applied to SSL peering and management services.

Step 11 (Optional) To remove a cipher suite from the list, check the cipher suite’s box and then click Delete.

SSL configuration changes will not be applied on the device until the security license has been enabled on the device.
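The version handling described in the "Configuring SSL Acceleration" introduction (a TLSv1.1 or TLSv1.2 client is offered a downgrade to TLS 1.0, and the connection is passed through if the client refuses) and the cipher-priority rule in the note above, modelled together as an added example. This is not WAAS code: the version names, the idea of a client "floor" (the lowest version the client will accept) and the suite names in the sample lists are assumptions made for illustration.

```python
"""Model of SSL version negotiation and cipher-suite selection as this chapter
describes them. Added example, not WAAS code; the version names, the client
'floor' and the sample suite names are assumptions for illustration."""
from typing import List, Optional

# Oldest to newest. Only SSL3 and TLS1 can be selected in the SSL version field.
VERSION_ORDER = ["SSL3", "TLS1", "TLS1.1", "TLS1.2"]
VERSION_FIELD = {"SSL3": {"SSL3"}, "TLS1": {"TLS1"}, "All": {"SSL3", "TLS1"}}


def negotiate_version(setting: str, client_max: str, client_min: str) -> Optional[str]:
    """Return the version the accelerator settles on, or None for pass-through.
    A TLS1.1/TLS1.2 client is offered a downgrade to TLS1; if client_min (the
    lowest version the client accepts) is above that, the traffic is passed through."""
    allowed = VERSION_FIELD[setting]
    hi, lo = VERSION_ORDER.index(client_max), VERSION_ORDER.index(client_min)
    for idx in range(hi, lo - 1, -1):         # try the newest acceptable version first
        if VERSION_ORDER[idx] in allowed:
            return VERSION_ORDER[idx]
    return None


def select_cipher(client_order: List[str], cipher_list: List[str], service: str) -> Optional[str]:
    """For an accelerated service the client's preference order wins; for the
    peering and management services the priority assigned in the cipher list wins."""
    if service == "accelerated":
        preferred, pool = client_order, set(cipher_list)
    else:
        preferred, pool = cipher_list, set(client_order)
    return next((c for c in preferred if c in pool), None)


# Constructed sample lists (suite names are illustrative only).
CLIENT_ORDER = ["dhe-rsa-with-aes-128-cbc-sha", "rsa-with-aes-256-cbc-sha", "rsa-with-rc4-128-sha"]
CIPHER_LIST = ["rsa-with-aes-256-cbc-sha", "dhe-rsa-with-aes-128-cbc-sha"]


def demo():
    return (negotiate_version("All", "TLS1.2", "TLS1"),     # downgraded to TLS1
            negotiate_version("All", "TLS1.2", "TLS1.2"),   # client refuses: pass-through
            negotiate_version("TLS1", "SSL3", "SSL3"),      # SSL3-only client, TLS1-only setting
            select_cipher(CLIENT_ORDER, CIPHER_LIST, "accelerated"),
            select_cipher(CLIENT_ORDER, CIPHER_LIST, "peering"))
```

Running `negotiate_version` against the client profiles in your environment shows which of them will be optimized at TLS 1.0 and which will be passed through untouched; `select_cipher` shows why putting a strong suite first in the cipher list only takes effect for the peering and management services.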

Working with Certificate Authorities

The WAAS SSL acceleration feature allows you to configure the Certificate Authority (CA) certificates used by your system. You can use one of the many well-known CA certificates that is included with WAAS or import your own CA certificate.

e. Add the certificate information by choosing one of the following methods:

– Upload PEM File

If you are uploading a file, it must be in a Privacy Enhanced Mail (PEM) format. Browse to the file that you want to use and click Upload.

– Paste PEM Encoded Certificate

If you are pasting the CA certificate information, paste the text of the PEM format certificate into the Paste PEM Encoded certificate field.

– Get CA Certificate using SCEP

This option automatically configures the certificate authority using the Simple Certificate Enrollment Protocol (SCEP). If you are using the automated certificate enrollment procedure, enter the CA URL and click Get Certificate. The contents of the certificate are displayed in text and PEM formats.

To complete the automated certificate enrollment procedure, you must configure the SSL auto enrollment settings in the “SSL Auto Enrollment” section.

f. Click Submit to save your changes.

Step 5 (Optional) To remove a Certificate Authority from the list, select it and then click the Delete icon located in the toolbar.

Step 6 Click Submit when you are done configuring the CA certificate list.

SSL Auto Enrollment

The WAAS SSL acceleration feature allows you to enroll certificates automatically for a device (or device group) using SCEP. Once the CA certificate has been obtained, SSL auto enrollment settings must be configured.

Note You must configure the applicable certificate authority before configuring auto enrollment settings.

You can then check the enrollment status in the Machine Certificate section on the SSL Global Settings page and on the Alerts page.

Configuring SSL Management Services

SSL management services are the SSL configuration parameters that affect secure communications between the Central Manager and the WAE devices (see Figure 13-14). The certificate/key pairs used are unique for each WAAS device, and so SSL management services can only be configured for individual devices, not device groups.

Step 3 In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL protocols.

Note Management service SSL version and cipher settings configured for the WAAS Central Manager are also applied to SSL connections between the WAAS Central Manager and the browser of the user.

Primary and standby Central Managers must share a common management service version or cipher list. Changing the management service version and cipher list settings may result in a loss of connectivity between primary Central Manager and standby Central Manager and WAE devices.

Note Both Mozilla Firefox and Internet Explorer support the SSLv3 and TLSv1 protocols; however, TLSv1 may not be enabled by default. Therefore, you need to enable it in your browser.

Configuring ciphers or protocols that are not supported in your browser will result in connection loss between the browser and the Central Manager. If this occurs, configure the Central Manager management service SSL settings to the default in the CLI to restore the connection.

Some browsers, such as Internet Explorer, do not correctly handle a change of SSL version and cipher settings on the Central Manager, which can result in the browser showing an error page after submitting changes. If this occurs, reload the page.

Configuring SSL Peering Service

SSL peering service configuration parameters control secure communications established by the SSL accelerator between WAE devices while optimizing SSL connections (see Figure 13-14). The peering service certificate and private key is unique for each WAAS device and can only be configured for individual devices, not device groups.

Step 3 In the SSL Version field, choose the type of SSL protocol to use, or choose Inherited to use the SSL protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL protocols.

Note For a WAAS Express device, only SSL3 and TLS1 are supported for the SSL Version.

Step 4 To enable verification of peer certificates, check the Enable Certificate Verification check box. If certificate verification is enabled, WAAS devices that use self-signed certificates will not be able to establish peering connections to each other and, thus, will not be able to accelerate SSL traffic.

Step 6 In the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration between the WAE device peers, or choose Inherited to use the cipher list configured in SSL global settings.

Note For a WAAS Express device, the list of cipher suites to be used for SSL acceleration is shown in the Cipher List pane.

Note For a WAAS Express device, SSL configuration changes will not be applied on the device until the security license has been enabled on the device.

Using SSL Accelerated Services

After you have enabled and configured SSL acceleration on your WAAS system, you must define at least one service to be accelerated on the SSL path. To configure SSL accelerated services, follow these steps:

Enabling the client version rollback check does not allow connections with an incorrect client version to be optimized.

Step 8 (Optional) Type a description of the service in the Description field.

Step 9 From the Server drop-down list, choose IP Address, Hostname, or Domain as the SSL service endpoint type. Type the server IP address, hostname, or domain of the accelerated server. Use the keyword Any to specify any server IP address. A maximum of 32 IP addresses, 32 hostnames, and 32 domains are allowed.

Note Hostname and domain server address types are supported only when using WAAS software version 4.2.x or later. Server IP address keyword Any is supported only when using WAAS Software version 4.2.x or later.

Step 10 Type the port associated with the service to be accelerated. Click Add to add each address. If you specify a server hostname, the Central Manager resolves the hostname to the IP address and adds it to the Server IP/Ports table.

Click Export Certificate Key to export the current certificate/key pair.

Click Generate Certificate Signing Request to renew or replace the existing certificate/key pair. The certificate signing request (CSR) is used by the Certificate Authority to generate a new certificate.

The file that you import or export must be in either a PKCS12 format or a PEM format.

Note If you change the certificate or key for an existing SSL accelerated service, you must uncheck the In service check box and click Submit to disable the service, then wait 5 minutes and check the In service check box and click Submit to reenable the service. Alternatively, at the WAE, you can use the no inservice SSL accelerated service configuration command, wait a few seconds, and then use the inservice command. If you are changing the certificate or key for multiple SSL accelerated services, you can restart all accelerated services by disabling and then reenabling the SSL accelerator.

Step 14 (Optional) In the SSL version field, choose the type of SSL protocol to use, or choose Inherited to use the SSL protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL protocols.

Step 15 (Optional) In the Cipher List field, choose a list of cipher suites to be used for SSL acceleration between the WAE device peers, or choose Inherited to use the cipher list configured in SSL global settings. For more information, see the “Working with Cipher Lists” section.

Prepare for creating an optimization policy.

Create an application definition.

Identifies general information about the application you want to optimize, such as the application name and whether the WAAS Central Manager collects statistics about this application. For more information, see the “Creating an Application Definition” section.

Create an optimization policy.

Determines the type of action your WAAS device or device group performs on specific application traffic. This step requires you to do the following:

Create application class maps that allow a WAAS device to identify specific types of traffic. For example, you can create a condition that matches all traffic going to a specific IP address.

Specify the type of action your WAAS device or device group performs on the defined traffic. For example, you can specify that WAAS should apply TFO and LZ compression to all traffic for a specific application.

Preparing to Create an Optimization Policy

Before you create a new optimization policy, complete the following preparation tasks:

Review the list of optimization policies on your WAAS system and make sure that none of these policies already cover the type of traffic you want to define. To view a list of the predefined policies that come bundled with the WAAS system, see Appendix A, “Predefined Optimization Policy.”

Identify a match condition for the new application traffic. For example, if the application uses a specific destination or source port, you can use that port number to create a match condition. You can also use a source or destination IP address for a match condition.

Identify the device or device group that requires the new optimization policy. We recommend you create optimization policies on device groups so the policy is consistent across multiple WAAS devices.

Creating an Application Definition

The first step in creating an optimization policy is to set up an application definition that identifies general information about the application, such as the application name and whether you want the WAAS Central Manager to collect statistics about the application. You can create up to 255 application definitions on your WAAS system.

The Applications window appears, which displays a list of all applications on your WAAS system. It also lists the device or device group from which it gets the settings. From this window, you can perform the following tasks:

Select an application and click the Edit icon in the task bar to modify it, or click the Delete icon in the task bar to delete it.

Determine if your WAAS system is collecting statistics on an application. The Enable Statistics column displays Yes if statistics are being collected for the application.

Create a new application as described in the steps that follow.

Click the Add Application icon in the taskbar. The Application window appears.

Step 2 Enter a name for this application.

The name cannot contain spaces or special characters.

Step 3 (Optional) Enter a comment in the Comments field.

The comment you enter appears in the Applications window.

Step 4 Check the Enable Statistics check box to allow the WAAS Central Manager to collect data for this application. To disable data collection for this application, uncheck this box.

The WAAS Central Manager GUI can display statistics for up to 25 applications and 25 class maps. An error message is displayed if you try to enable more than 25 statistics for either. However, you can use the WAAS CLI to view statistics for all applications that have policies on a specific WAAS device. For more information, refer to the Cisco Wide Area Application Services Command Reference.

If you are collecting statistics for an application and decide to disable statistics collection, then reenable statistics collection at a later time, the historical data will be retained, but a gap in data will exist for the time period when statistics collection was disabled. An application cannot be deleted if there is an optimization policy using it. However, if you delete an application that you had collected statistics for, then later recreate the application, the historical data for the application will be lost. Only data since the recreation of the application will be displayed.

Note The WAAS Central Manager does not start collecting data for this application until you finish creating the entire optimization policy.

Step 5 Click OK.

The application definition is saved and is displayed in the application list.

Creating an Optimization Policy

After you create an application definition, you need to create an optimization policy that determines the action a WAAS device takes on the specified traffic. For example, you can create an optimization policy that makes a WAAS device apply TCP optimization and compression to all application traffic that travels over a specific port or to a specific IP address. You can create up to 512 optimization policies on your WAAS system.

The traffic matching rules are contained in the application class map. These rules, known as match conditions, use Layer 2 and Layer 4 information in the TCP header to identify traffic.

Note For a WAAS Express device, the Optimization Policies window shows a subset of the fields in the standard Optimization Policies window.

The Enable Service Policy option, the DSCP option, and the Protocol column in the list of policy rules are not applicable to WAAS Express.

Figure 13-31 Optimization Policies Window

This window displays information about all optimization policies that reside on the selected device or device group and the position of each policy. The position determines the order in which WAAS refers to that policy when determining how to handle application traffic. To change the position of a policy, see the “Modifying the Position of an Optimization Policy” section. This window also displays the class map, source and destination IP addresses, source and destination ports, protocol, application, action, and accelerate assigned to each policy.

Note If there are version 4.x devices, you can click the Legacy View taskbar icon to view the policies as they appear in a 4.x device.

From the Optimization Policies window, you can perform the following tasks:

Configure a description, configure the Enable Service Policy setting, and configure the DSCP setting. This DSCP setting field configures DSCP settings at the device (or device group) level.

Note The device will only use this policy setting to determine what optimizations are done if Enable Service Policy is set.

Select one or more optimization policies that you want to delete, and click the Delete icon to delete the checked policies.

Select an optimization policy and click the Edit icon to modify the checked policy.

Step 4 Choose the class map from the Class-Map Name drop-down list to select an existing class map for this policy or click Create New to create a new class map for this policy. For information on creating a new class map, see the “Creating an Optimization Class Map” section.

Step 5 From the Action drop-down list, choose the action that your WAAS device should take on the defined traffic. Table 13-5 describes each action.

Note For a WAAS Express device, only a subset of the actions are available. These include: Passthrough, TFO Only, TFO with LZ, TFO with DRE, and TFO with DRE and LZ.

Passthrough

Prevents the WAAS device from optimizing the application traffic defined in this policy by using TFO, DRE, or compression. Traffic that matches this policy can still be accelerated if an accelerator is chosen from the Accelerate drop-down list.

TFO Only

Applies a variety of transport flow optimization (TFO) techniques to matching traffic. TFO techniques include BIC-TCP, window size maximization and scaling, and selective acknowledgement. For a more detailed description of the TFO features, see the “TFO Optimization” section.

TFO with DRE (Adaptive Cache)

Applies both TFO and DRE with adaptive caching to matching traffic.

TFO with DRE (Unidirectional Cache)

Applies both TFO and DRE with unidirectional caching to matching traffic.

TFO with DRE (Bidirectional Cache)

Applies both TFO and DRE with bidirectional caching to matching traffic.

TFO with LZ Compression

Applies both TFO and the LZ compression algorithm to matching traffic. LZ compression functions similarly to DRE but uses a different compression algorithm to compress smaller data streams and maintains a limited compression history.

1. When configuring a device running a WAAS version prior to 4.4.1, options that include Unidirectional or Adaptive caching are not shown in the Action list.

Note When ICA acceleration is enabled, all connections are processed with the DRE mode as unidirectional. Acceleration type is shown as TIDL (TCP optimization, ICA acceleration, DRE, LZ).

Note When configuring optimization policies on a device group, if the device group contains devices running a WAAS version prior to 4.4.1 and you are configuring an action that includes Unidirectional or Adaptive caching, the caching mode is converted to bidirectional. Similarly, when devices running WAAS versions prior to 4.4.1 join a device group that is configured with optimization policies that use Unidirectional or Adaptive caching, the caching mode is converted to bidirectional. In such cases, we recommend that you upgrade all devices to the same software version or create different device groups for devices with incompatible versions.

Step 6 From the Accelerate drop-down list, choose one of the following additional acceleration actions that your WAAS device should take on the defined traffic:

Note For a WAAS Express device, the available accelerators are CIFS Express and HTTP Express.

Step 7 Specify the application that you want to be associated with this policy by doing either of the following:

From the Application drop-down list, choose an existing application like the one that you created in the “Creating an Application Definition” section. This list displays all predefined and new applications on your WAAS system.

Click New Application to create an application. You can specify the application name and enable statistics collection. After specifying the application details, click OK to save the new application and return to the Optimization Policy window. The new application is automatically assigned to this device or device group.

Step 8 (Optional) Choose a value from the DSCP Marking drop-down list. You can choose copy, which copies the DSCP value from the incoming packet and uses it for the outgoing packet. If you choose inherit-from-name from the drop-down list, the DSCP value defined at the application or global level is used.

DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic. Levels of service are assigned by marking each packet on the network with a DSCP code and associating a corresponding level of service. DSCP is the combination of IP Precedence and Type of Service (ToS) fields. For more information, see RFC 2474.

DSCP marking does not apply to pass-through traffic.

Note For a WAAS Express device, the DSCP Marking drop-down list is not shown.

For the DSCP marking value, you can choose to use the global default values (see the “Defining Default DSCP Marking Values” section) or select one of the other defined values. You can choose copy, which copies the DSCP value from the incoming packet and uses it for the outgoing packet.

Step 9 Click OK.

The new policy appears in the Optimization Policies window. (See Figure 13-31.)

Note For a WAAS Express device, Protocol and EPM Custom UUID settings are not applicable.

Figure 13-33 Adding a New Match Condition Window

Step 5 Enter a value in one of the destination or source condition fields to create a condition for a specific type of traffic.

For example, to match all traffic going to IP address 10.10.10.2, enter that IP address in the Destination IP Address field.

Note To specify a range of IP addresses, enter a wildcard subnet mask in either the destination or source IP Wildcard field in dotted decimal notation (such as 0.0.0.255 for /24).

If you want to match traffic that uses dynamic port allocation, choose the application identifier from the Protocol drop-down list. For example, to match Microsoft Exchange Server traffic that uses the MAPI protocol, choose mapi. If you want to enter a custom EPM UUID, choose epm-uuid and enter the UUID in the EPM Custom UUID field.

Step 6 Add additional match conditions as needed and click OK to save the class map. If any one of the conditions is matched, the class is considered matched.

The Policy Report for Devices tab appears. This report lists each device (or device group) and the overall policy count on the device (or device group) referencing this application. It includes both active policies (those in use by the device or device group), and backup policies (those not in use by the device when the device gets its config from a device group). When the device is deassigned from the device group, the backup policies are applied back to the device and become active again.

An application cannot be deleted unless the No of Policies field is 0.

Figure 13-34 Optimization Policy Report

Step 2 Select the Policy Report for Device-Groups tab to view the number of devices per device group and the number of active policies in the device group.

Step 3 To see the optimization policies that are defined on a particular device or group, click the device or group to view the policies in the Optimization Policies window.

Step 3 Click the Restore Default taskbar icon to restore over 150 policies and class maps that shipped with the WAAS software and remove any new policies that were created on the system. If a predefined policy has been changed, these changes are lost and the original settings are restored.

Monitoring Applications and Class Maps

After you create an optimization policy, you should monitor the associated application to make sure your WAAS system is handling the application traffic as expected.

To monitor a class map, from the WAAS Central Manager menu, choose Configure > Acceleration > Monitor Classmaps. Select the class map on which to enable statistics and click the Enable button.

The WAAS Central Manager GUI can display statistics for up to 25 applications and 25 class maps. An error message is displayed if you try to enable more than 25 statistics for either. However, you can use the WAAS CLI to view statistics for all applications that have policies on a specific WAAS device. For more information, refer to the Cisco Wide Area Application Services Command Reference.

Most charts can be configured to display Class Map data by clicking the chart Edit icon and choosing the Classifier series.

Defining Default DSCP Marking Values

According to policies that you define in an application definition and an optimization policy, the WAAS software allows you to set a DSCP value on packets that it processes.

A DSCP value is a field in an IP packet that enables different levels of service to be assigned to the network traffic. The levels of service are assigned by marking each packet on the network with a DSCP code and associating a corresponding level of service. The DSCP marking determines how packets for a connection are processed externally to WAAS. DSCP is the combination of IP Precedence and Type of Service (ToS) fields. For more information, see RFC 2474. DSCP values are predefined and cannot be changed.

This attribute can be defined at the following levels, from lowest to highest precedence:

Global—You can define global defaults for the DSCP value for each device (or device group) in the Optimization Policies page for that device (or device group). This value applies to the traffic if no lower-level value is defined.

Application—You can define the DSCP value in an application definition. This value applies to all traffic classified to that application and overrides the global DSCP value.

Policy—You can define the DSCP value in an optimization policy. This value applies only to traffic that matches the class maps defined in the policy and overrides the application and global DSCP values.

Step 3 Choose a value from the DSCP drop-down list. The default setting is copy, which copies the DSCP value from the incoming packet and uses it for the outgoing packet. With copy, whatever marking the end host or an upstream device placed on the packet is preserved unchanged; choose an explicit value if the WAN edge should not trust markings set by end hosts.

Step 4 Click OK to save the settings.
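The following added example, written for this guide and not taken from the WAAS software, shows the three-level precedence described above (policy overrides application overrides global, with copy preserving the incoming value) and what a marking actually changes on the wire: the high-order six bits of the IPv4 ToS octet, with the two ECN bits kept and the header checksum recomputed. The header is constructed inline for the example; the treatment of an explicit "copy" at a given level as a deliberate choice that lower-precedence levels do not override is an assumption of this model, not a statement about the WAAS implementation.

```python
import struct

# Standard per-hop-behaviour names and their DSCP codepoints
# (RFC 2474 class selectors, RFC 2597 AF classes, RFC 3246 EF).
DSCP_NAMES = {
    "default": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14,
    "cs2": 16, "af21": 18, "cs3": 24, "af31": 26, "cs4": 32,
    "af41": 34, "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56,
}


def resolve_dscp(global_dscp, application_dscp, policy_dscp, incoming_dscp):
    """Pick the DSCP to write on the outgoing packet.

    Precedence follows the levels in the text: policy > application > global.
    None means "not defined at this level". "copy" keeps the value already in
    the packet; this model assumes (an assumption, not WAAS behaviour) that an
    explicit "copy" at a level is a deliberate choice and is not overridden by
    a lower-precedence level. Values may be PHB names or raw codepoints.
    """
    for level in (policy_dscp, application_dscp, global_dscp):
        if level is None:
            continue
        if level == "copy":
            return incoming_dscp
        return DSCP_NAMES[level] if isinstance(level, str) else int(level) & 0x3F
    return incoming_dscp  # nothing defined anywhere: behave like copy


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement of the ones'-complement sum
    of the 16-bit words. Over a header that already carries a valid checksum
    the result is 0, which is how the test verifies the rewrite."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int = 0, ecn: int = 0,
                      payload_len: int = 40) -> bytes:
    """Constructed 20-byte IPv4 header (protocol TCP) for the example; not a capture."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20 + payload_len, 0x1234, 0x4000, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split("."))))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def get_dscp(header: bytes) -> int:
    """DSCP is the high-order six bits of the second header byte."""
    return header[1] >> 2


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the two ECN bits, and recompute the checksum."""
    hdr = bytearray(header)
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def mark_packet(header: bytes, global_dscp, application_dscp, policy_dscp) -> bytes:
    """Apply the resolved marking to one packet and return the new header."""
    chosen = resolve_dscp(global_dscp, application_dscp, policy_dscp, get_dscp(header))
    return set_dscp(header, chosen)


if __name__ == "__main__":
    pkt = build_ipv4_header("192.0.2.10", "198.51.100.20", dscp=DSCP_NAMES["af21"], ecn=1)
    out = mark_packet(pkt, "copy", None, "ef")   # policy level wins over global "copy"
    print("DSCP", get_dscp(pkt), "->", get_dscp(out),
          "ECN kept:", out[1] & 0x03, "checksum ok:", ipv4_checksum(out) == 0)
```

Running the block rewrites an AF21-marked header to EF because the policy-level value takes precedence, while leaving the ECN bits and the rest of the header intact; a marking that leaves the checksum stale would be dropped by the next router, which is why the recompute is part of the rewrite.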

Modifying the Position of an Optimization Policy

Each optimization policy has an assigned position that determines the order in which a WAAS device refers to the policy in an attempt to classify traffic. For example, when a WAAS device intercepts traffic, it refers to the first policy in the list to try to match the traffic to an application. If the first policy does not provide a match, the WAAS device moves on to the next policy in the list.

You should consider the position of policies that pass through traffic unoptimized, because placing these policies at the top of the list can cancel out optimization policies that appear farther down the list. For example, if you have two optimization policies that match traffic going to IP address 10.10.10.2, and one policy optimizes this traffic while a second policy in a higher position passes it through, then all traffic going to 10.10.10.2 goes through the WAAS system unoptimized. For this reason, you should make sure that your policies do not have overlapping matching conditions, and you should monitor the applications you create to make sure that WAAS is handling the traffic as expected. For more information on monitoring applications, see Chapter 17, “Monitoring and Troubleshooting Your WAAS Network.”
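The first-match walk and the shadowing problem described above, as an added example written for this guide (not WAAS code): a small model of ordered policies whose class maps match on destination network and port, a classifier that returns the first policy that matches, and a check that flags any pass-through policy positioned above an optimize policy with overlapping match conditions. The model assumes only destination-address and destination-port match conditions; real class maps support more criteria, and the sample policies and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClassMap:
    """Simplified match condition: destination network plus an optional port set."""
    name: str
    dst_net: str                          # CIDR; "0.0.0.0/0" matches any address
    dst_ports: frozenset = frozenset()    # empty set matches any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net, strict=False)
        return in_net and (not self.dst_ports or dst_port in self.dst_ports)

    def overlaps(self, other: "ClassMap") -> bool:
        """True if some (address, port) pair can match both class maps."""
        nets = ipaddress.ip_network(self.dst_net, strict=False).overlaps(
            ipaddress.ip_network(other.dst_net, strict=False))
        ports = (not self.dst_ports or not other.dst_ports
                 or bool(self.dst_ports & other.dst_ports))
        return nets and ports


@dataclass(frozen=True)
class Policy:
    position: int          # lower position is consulted first
    application: str
    class_map: ClassMap
    action: str            # "optimize" or "passthrough"


def classify(policies, dst_ip: str, dst_port: int):
    """First-match walk in position order; returns the matching policy or None."""
    for policy in sorted(policies, key=lambda p: p.position):
        if policy.class_map.matches(dst_ip, dst_port):
            return policy
    return None


def shadowed_optimizations(policies):
    """Report (pass-through app, optimize app) pairs where a pass-through
    policy sits above an optimize policy with overlapping match conditions.
    Traffic that matches both is never optimized."""
    ordered = sorted(policies, key=lambda p: p.position)
    findings = []
    for i, upper in enumerate(ordered):
        if upper.action != "passthrough":
            continue
        for lower in ordered[i + 1:]:
            if lower.action == "optimize" and upper.class_map.overlaps(lower.class_map):
                findings.append((upper.application, lower.application))
    return findings


# Constructed sample: a pass-through policy for one server placed above the
# HTTP policy (ports from the default HTTP class map), plus an SSH pass-through
# policy that sits below it and therefore shadows nothing.
HTTP_PORTS = frozenset({80, 8080, 8000, 8001, 3128})
SAMPLE_POLICIES = [
    Policy(1, "Pass-Through-Server", ClassMap("server-10.10.10.2", "10.10.10.2/32"), "passthrough"),
    Policy(2, "HTTP", ClassMap("HTTP", "10.10.10.0/24", HTTP_PORTS), "optimize"),
    Policy(3, "SSH", ClassMap("SSH", "0.0.0.0/0", frozenset({22})), "passthrough"),
]

if __name__ == "__main__":
    for ip, port in (("10.10.10.2", 80), ("10.10.10.3", 80), ("10.10.10.3", 22)):
        hit = classify(SAMPLE_POLICIES, ip, port)
        print(f"{ip}:{port} -> {hit.application if hit else 'no match'}")
    print("shadowed:", shadowed_optimizations(SAMPLE_POLICIES))
```

With the sample policies, HTTP traffic to 10.10.10.2 lands on the pass-through policy and is reported as shadowing the HTTP optimize policy, while the same traffic to 10.10.10.3 is optimized; the check is the kind of review worth running whenever a pass-through policy is moved up the list.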

Modifying the Acceleration TCP Settings

In most cases, you do not need to modify the acceleration TCP settings because your WAAS system automatically configures the acceleration TCP settings based on the hardware platform of the WAE device. WAAS automatically configures the settings only under the following circumstances:

When you first install the WAE device in your network.

When you enter the restore factory-default command on the device. For more information about this command, see the Cisco Wide Area Application Services Command Reference.

The WAAS system automatically adjusts the maximum segment size (MSS) to match the advertised MSS of the client or server for each connection. The WAAS system uses the lower of 1432 or the MSS value advertised by the client or server.

Checking the Send TCP Keepalive check box allows this WAE device or group to disconnect the TCP connection to its peer device if no response is received to the TCP keepalive exchange. The two peer WAE devices exchange TCP keepalives on the connection, and if no response to the keepalives is received for a specific period, the TCP connection is torn down. When the keepalive option is enabled, a WAN disruption that outlasts that period, even a short one, causes the TCP connection between the peer WAE devices to be disconnected.

If the Send TCP Keepalive check box is not checked, TCP keepalives will not be sent and connections will be maintained unless they are explicitly disconnected. By default, this setting is enabled.

Step 4 Modify the TCP acceleration settings as needed. See Table 13-6 for a description of these settings.

Step 5 If you are deploying the WAE across a high Bandwidth-Delay-Product (BDP) link, you can set recommended values for the send and receive buffer sizes by clicking the Set High BDP recommended values button. For more information about calculating TCP buffers for high BDP links, see the “Calculating the TCP Buffers for High BDP Links” section.

Step 6 Click Submit.

Note If the original and optimized maximum segment sizes are set to their default values and you configure a jumbo MTU setting, the segment sizes are changed to the jumbo MTU setting minus 68 bytes. If you have configured custom maximum segment sizes, their values are not changed if you configure a jumbo MTU. For more information on jumbo MTU, see the “Configuring a Jumbo MTU” section.

To configure TCP keepalives from the CLI, use the tfo tcp keepalive global configuration command.

Calculating the TCP Buffers for High BDP Links

WAAS software can be deployed in network environments with widely differing link characteristics, such as bandwidth, latency, and packet loss. By default, each WAAS platform is configured to accommodate networks with a maximum Bandwidth-Delay-Product (BDP) of up to the value listed below:

WAE-512—Default BDP is 32 KB

WAE-612—Default BDP is 512 KB

WAE-674 —Default BDP is 2048 KB

WAE-7341 —Default BDP is 2048 KB

WAE-7371 —Default BDP is 2048 KB

All WAVE platforms—Default BDP is 2048 KB

If your network has higher bandwidth or higher latency, use the following formula to calculate the actual link BDP (link bandwidth in kilobytes per second multiplied by round-trip latency in seconds gives the BDP in kilobytes):

BDP [Kbytes] = (link BW [Kbytes/sec] * Round-trip latency [Sec])

When the WAE optimizes traffic over multiple links 1..N, calculate the maximum BDP as follows:

MaxBDP = Max (BDP(link 1),..,BDP(link N))

If the calculated MaxBDP is greater than the default BDP for your WAE model, modify the Acceleration TCP settings to accommodate the calculated BDP.

Once you have calculated MaxBDP, enter a value that is equal to or greater than twice MaxBDP in both the Send Buffer Size and Receive Buffer Size fields for the optimized connection in the Acceleration TCP Settings window.

Note These manually configured buffer sizes apply only if TCP adaptive buffering is disabled. TCP adaptive buffering is normally enabled, and allows the WAAS system to dynamically vary the buffer sizes. For more information on TCP adaptive buffering, see the “Modifying the TCP Adaptive Buffering Settings” section.
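The BDP calculation above, carried through as an added example written for this guide (not a WAAS tool): it converts link bandwidth in Mbit/s and round-trip latency in milliseconds into the formula's KB and seconds, takes the maximum over the links, compares it with the platform default listed above, and returns a send/receive buffer size of at least twice MaxBDP when the default is exceeded. It assumes 1 KB = 1024 bytes for the platform defaults and reports whether the manual sizes would take effect at all, since the note above says they apply only when TCP adaptive buffering is disabled. The link values are constructed for the example.

```python
import math

# Default BDP per platform in KB, from the list in this section
# (1 KB = 1024 bytes is an assumption of this example).
DEFAULT_BDP_KB = {
    "WAE-512": 32, "WAE-612": 512, "WAE-674": 2048,
    "WAE-7341": 2048, "WAE-7371": 2048, "WAVE": 2048,
}


def link_bdp_kb(bandwidth_mbps: float, rtt_ms: float) -> float:
    """BDP [KB] = link BW [KB/s] * round-trip latency [s].

    Unit conversions are folded in: 1 Mbit/s = 1_000_000 / 8 bytes per
    second, latency is given in milliseconds, and the result is in KB.
    """
    return bandwidth_mbps * rtt_ms * 1_000_000 / (8 * 1000 * 1024)


def max_bdp_kb(links) -> float:
    """MaxBDP = Max(BDP(link 1), ..., BDP(link N)); links are (Mbit/s, ms) pairs."""
    return max(link_bdp_kb(bw, rtt) for bw, rtt in links)


def recommend_tcp_buffers(model: str, links, adaptive_buffering: bool = True) -> dict:
    """Compare MaxBDP with the platform default. If it is exceeded, return a
    buffer size of at least twice MaxBDP, rounded up to a whole KB, to enter
    in both Send Buffer Size and Receive Buffer Size. 'applies' is False when
    adaptive buffering is enabled, because the manual sizes are then ignored."""
    default_kb = DEFAULT_BDP_KB[model]
    max_bdp = max_bdp_kb(links)
    result = {
        "model": model,
        "max_bdp_kb": max_bdp,
        "default_bdp_kb": default_kb,
        "exceeds_default": max_bdp > default_kb,
        "buffer_kb": None,
        "applies": not adaptive_buffering,
    }
    if result["exceeds_default"]:
        result["buffer_kb"] = math.ceil(2 * max_bdp)
    return result


if __name__ == "__main__":
    # Constructed links: a 100 Mbit/s path with 100 ms RTT and a 45 Mbit/s path with 40 ms RTT.
    links = [(100, 100), (45, 40)]
    for model in ("WAE-612", "WAVE"):
        print(recommend_tcp_buffers(model, links, adaptive_buffering=False))
```

For the constructed links the 100 Mbit/s, 100 ms path dominates at roughly 1221 KB: a WAE-612 (default 512 KB) needs buffers of 2442 KB or more, while a WAVE platform (default 2048 KB) needs no change.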

Modifying the TCP Adaptive Buffering Settings

In most cases, you do not need to modify the acceleration TCP adaptive buffering settings because your WAAS system automatically configures the TCP adaptive buffering settings based on the network bandwidth and delay experienced by each connection. Adaptive buffering allows the WAAS software to dynamically vary the size of the send and receive buffers to increase performance and more efficiently use the available network bandwidth.